Schuyler Dorsey

asked on

Splunk - receiving data from univ. forwarder

Hey experts! I am evaluating Splunk for a client. I have deployed the server piece and installed the universal forwarder onto a few Windows servers. I noticed the logs from these servers appeared to not be showing in search results.

I checked the splunkd file and the last line shows a successful connection to the Splunk server. During the install wizard of the univ forwarder, I just accepted the defaults.

Is there a configuration piece I am missing?
Schuyler Dorsey

ASKER

FYI the Univ. Forwarder sends the App, System and Security logs by default.
I have an index created for wineventlog and msad. Just accepted defaults for these.
I think I got it. After rebooting the indexer, some logs are appearing in search results. Will monitor to confirm resolution.
btan

If you check the outputs.conf comments, it states "# You must restart Splunk to enable configurations."

http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Outputsconf

Also, it states to restart the forwarder for some configuration changes.

http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Deploymentoverview#General_configuration_issues
ASKER CERTIFIED SOLUTION
Schuyler Dorsey
Thanks for sharing, hope my post has helped though.
Correct answer.